Is alirezarezvani/ui-design-system safe?

https://github.com/openclaw/skills/tree/main/skills/alirezarezvani/ui-design-system

87
SAFE

The alirezarezvani/ui-design-system skill is a legitimate-appearing UI design system toolkit with clean SKILL.md content free of prompt injection, no credential exfiltration instructions, and a clean installation profile. Canary files were untouched and all network activity during install was limited to expected GitHub and Ubuntu endpoints. The primary residual risk is the bundled Python script (design_token_generator.py) that agents will execute at runtime — its content was not provided in the audit evidence — creating a blind spot that cannot be fully resolved through install-time monitoring alone.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Bundled Python script content unverified — executed by agent at runtime -28

The skill bundles scripts/design_token_generator.py and SKILL.md directly instructs agents to execute it with user-supplied arguments (hex color codes). The script's full content was not provided in the audit evidence despite being confirmed present and read by the audit framework. If the script contains hidden logic — reading environment variables, accessing credential files, or making outbound HTTP calls — it would execute with full agent permissions when the skill's workflows are invoked. This is the primary unmitigated risk.

LOW Sensitive credential files accessed during monitoring window — attributed to audit framework -15

Inotify and auditd events show read-only access to six sensitive credential files at timestamps 1771924996 (pre-clone) and 1771925014 (post-install). Timing analysis places the first access batch 5 seconds BEFORE the git clone began, indicating these are the Oathe framework's own canary deployment operations. The second batch is the framework's post-install integrity verification. All accesses are CLOSE_NOWRITE with no subsequent network transfer. Canary integrity check confirms no tampering. The skill is not responsible for these accesses.

LOW Unverified script creates residual runtime risk despite clean install -18

A sophisticated supply-chain attack could use a legitimate-looking UI toolkit as a vehicle for a malicious Python script that only activates at runtime (not during installation). The install-time monitoring cannot assess what happens when an agent actually executes the script. However, no behavioral indicators of malicious intent were found in the skill's documentation, the canary files were untouched, and no suspicious outbound connections were made during installation.

INFO Expected outbound connection to GitHub during installation -10

The skill installation made an HTTPS connection to GitHub (140.82.121.4:443) to clone the skills monorepo and perform a sparse checkout. Additional connections to 91.189.91.49 and 185.125.188.54 are Ubuntu/Canonical infrastructure (system updates, motd-news) and are unrelated to the skill.

INFO Skill instructs output redirection to local files -5

Several SKILL.md code examples use shell output redirection (> filename) to write generated tokens to local files. This is within the expected scope of a design token generation tool and does not represent a prompt injection risk, but it does mean agents will perform filesystem writes as part of normal skill operation.